Physical and Digital Environmentalism: Lessons for Sustainable Cyber

A few months ago, I wrote a blog post for a client about sustainable cybersecurity and learning lessons from environmental contamination in the 1980’s. Recently, the client forwarded me an email asking for more insight into how I see those claims (I worked in an environmental claims unit for an insurance company in the early 00’s) being similar to the way the Internet-of-Things impacts security. The short question was: can we substitute “sustainability” and “environment” for “cyber security”?

The short answer is: kind of. The long answer is more complex.

What exactly happened in the 1970’s and 1980’s?

By the time I arrived on the environmental claims scene, most litigation had ended, at least most coverage litigation. However, a brief history of the EPA’s strict liability regulations and their impact can help shed some light on my position.

Physical environmental damage arose from three distinct causes:

Dumping

First, let’s start with the obvious nasty in the room. Some chemical companies just poured bad stuff wherever they wanted. They didn’t care as long as they protected the bottom line (see A Civil Action or Erin Brockovich). Although they willfully did bad, bad things, proving that was often difficult because the companies destroyed internal records. However, in some cases, class action lawsuits managed to obtain the records, causing the companies major financial damage.

Spills

Spills are what we tend to imagine today. A truck has an accident and a whole tanker of chemicals spills onto the road. The initial events were complete accidents, uncontrollable and unexpected.

However, after the accident, the question often became: was the remediation appropriate to prevent long-term environmental impacts? Sometimes, the answer was yes. Often, however, the answer was no.

Long-Term Leakage

Long-term leakages were more about things that should have been controllable if you were paying attention and doing the appropriate upkeep. Most of these involved continuous maintenance such as replacing containers, removing leaky storage tanks, or updating your dry cleaning operations to newer technologies that leached less perc.

How the Government Responded

Ahh yes, the glories of the EPA remediation requirements. In 1980, the federal government enacted the Comprehensive Environmental Response, Compensation, and Remediation Act (CERCLA), establishing a “strict liability” matrix. Additionally, it created short-term and long-term remediation requirements and authorized the EPA to find the responsible parties.

The short explanation of this is: If some bad stuff that related to you was found in the environment, you had to pay to clean up the mess.

Now, this would be simple - except that not all contamination was easy to trace back to a source. Take the example of a dry cleaner located in a strip mall near a larger chemical company (Bozeman Superfund Site, I’m looking at you): all that chemical nastiness would leach into the same water table. The EPA didn’t care that you were a mom-and-pop thinking you were doing the right thing. If they could find any trace of perc, you were liable.

So, you and the chemical company were equally liable to the EPA for the cleanup costs. However, since the insurance companies didn’t want to cover the same amount, they ended up litigating the amounts and cost sharing.

By enforcing the strict liability standard, the EPA ensured that the cleanup would occur (well, someday at least) and made the companies that it blamed responsible for deciding how to pay for it.

Fast Forward to the Data Ecosystem

What I’ve glommed onto since I started working in cybersecurity is how similar the data ecosystem and physical ecosystem are.

Bad Actors are Going to Be Bad

Whether a company is dumping chemicals or data, internal malicious actors will always make terrible and selfish decisions. In short, while a chemical company CEO might plausibly deny purposeful dumping, they were still on the hook for it. The same is true today when we look at malicious internal actors exfiltrating information.

Accidental Spills - Accidental Breaches

We talk all the time in cybersecurity about how there’s no such thing as an accident. It’s always some kind of negligence. In reality, you can get a huge data breach arising from a Zero Day, totally unexpected, uncontrollable, and accidental.

Right, now these don’t happen often - but then again, neither do things like the Exxon Valdez spill. So, it’s fair to make a comparison.

Negligence: Continuous Monitoring and Maintenance

Now, this is the real comparison right here. Sure, some spills can’t be controlled. However, the majority of them, such as leaking underground storage tanks (or LUSTs… yes, LUSTs) were the result of poor maintenance and monitoring.

This is our current cybersecurity situation. Even in terms of third-party ecosystem monitoring, a connection exists. In environmental spills, leaks from that LUST or a lack of appropriate chemical control were treated as negligence. In fact, if you and another company were next to each other, you were both equally liable for the cleanup.

Today, in cyber, companies are responsible for their own data breaches but also for those arising from their vendors.

Current Government Responses

In the last few years, we’ve seen the European Union General Data Protection Regulation (EU GDPR), the New York Department of Financial Services (NY DFS) Cybersecurity Rule, and the California Consumer Privacy Act (CCPA) all do the same thing as the EPA rules. In fact, the new suggested technical amendments to the CCPA look an awful lot like a data version of CERCLA.

Functionally, the new regulations treat the data ecosystem the way old regulations treated the physical ecosystem. Clean yourself up. Make sure to do due diligence. Engage in impact and risk reviews. Don’t let others be the reason you’re on the hook for bad stuff getting out into the environment.

What does this mean for IoT Specifically?

Since the question posed to me focused on IoT, instead of sending the long-winded response as an email, I’m going to add it here. If a data breach arises from an insecure IoT device, the company using it will be at fault. See healthcare, for instance. A healthcare provider using an IoT device to monitor diabetes would be at risk in the event that the insulin monitoring device leaks patient information.

IoT presents the same concept as the closed-loop versus open-loop dry cleaning machine. From an environmental standpoint, open loop dumped dry cleaning chemicals right out of the machine, often into a catchall location that was later emptied. As environmental cleanups ramped up, the newer machines, or “closed loop,” keep the perc within the system but can leak or leach the chemical into the groundwater. (Note: Safety requirements now enforce closed-loop systems only.)

IoT is currently similar to the old-fashioned open-loop systems. Since insecure Bluetooth connections can leak data through man-in-the-middle attacks, these devices are currently not particularly secure. While security groups like the Cloud Security Alliance seek to establish “best practices,” presently no formal industry standard exists. In short, for IoT specifically, we need to create a “closed-loop” security protocol that moves the technology forward towards better protection.

Applying Sustainability To Digital Transformation

Environmental sustainability means harvesting renewable resources, decreasing pollution, and slowing the use of non-renewable resources in a way that benefits the bottom line - both physically and financially.

From a cybersecurity perspective, we need to do the same thing. When we talk about renewable resources in cyber, we’re really focusing on the ways in which we protect information. We can no longer, for example, use point-in-time audit processes because they are outdated. For many organizations, hiring internal pen-testers to do a weekly or daily review is not sustainable. Many organizations can’t afford a security operations center (SOC) of their own. In short, the traditional methods of focusing on data protection are non-renewable resources that cannot protect data now - or in the future.

We need to decrease data pollution. In a lot of ways, this is also similar to environmental sustainability. We collect, store, and transmit more data than necessary. The GDPR and CCPA are a first step toward limiting those processes. Yet, even the recent FEMA breach indicates that we are failing at this. In some cases, human error is contributing to the data pollution. In other cases, companies are lacking vendor risk management monitoring. In still other cases, systems share data automatically without the appropriate configurations. The data pollution across the interconnected ecosystems needs to be closely monitored. After all, if you were a kid in the 1980’s, you remember Woodsy Owl telling you “if you give a hoot, don’t pollute.” Woodsy’s entire raison d’être was to make us think about what we were doing before we did it. Within the business and digital ecosystems, we need to start giving a hoot so that we don’t pollute.

Finally, we need to embrace the new technologies that can be the renewable resources. Sure, we hate to use the terms “artificial intelligence” or “machine learning” or “behavioral analytics” because they’ve become buzzwords and people don’t understand them. However, as I’ve worked with many of my clients, I’ve found that some of the technologies are enabling. Are any of them perfect? No, but neither are closed-loop systems. We need to focus on refining the technologies - seeking out the best, encouraging their use, and finding ways to improve them. The non-renewable reporting and auditing standards are being depleted, and renewable sources of information that update regularly need to be found.